Privacy Policy
Last updated: March 2026
TokenShift (“we“, “us“, or “our“) is committed to protecting the privacy of visitors to tokenshift.ai (the “Site“). This Privacy Policy explains what personal data we collect, why we collect it, how we process it, and what rights you have under the General Data Protection Regulation (EU) 2016/679 (“GDPR“).
1. Data Controller
The data controller responsible for your personal data is:
- Company: TokenShift
- Founder & Director: Pascal Marie
- Registered address: Paris, France
- Contact: contact@tokenshift.ai
2. Categories of Personal Data Collected
We collect personal data through the following channels:
2.1 Contact / Engagement Request Form
When you submit a contact or engagement request through our Site, we may collect:
- Full name
- Email address
- Company name
- Professional role / job title
- Industry sector
- Employee band (company size range)
- Urgency level
- Desired timeline
- Project context / free-text description
2.2 AI-Readiness Self-Assessment
When you complete our self-assessment tool, we may collect:
- Full name
- Email address
- Company name
- Professional role / job title
- Primary AI adoption blocker
2.3 Newsletter Subscription
If you subscribe to our newsletter, we collect your email address (and optionally your name).
2.4 Cookies & Analytics
We collect technical data through cookies and analytics tools. Please refer to our Cookie Policy for full details.
3. Purposes of Processing
We process your personal data for the following purposes:
- Qualifying engagement requests — to understand your needs and determine how TokenShift can help your organisation with AI transition.
- Providing self-assessment results — to generate and deliver your personalised AI-readiness score and recommendations.
- Newsletter delivery — to send you periodic insights on enterprise AI adoption (only with your explicit consent).
- Website analytics — to understand how visitors use the Site and to improve its content and performance.
- Security — to protect the Site against malicious activity, spam, and unauthorised access.
4. Legal Bases (Article 6 GDPR)
| Purpose | Legal Basis |
|---|---|
| Contact form & self-assessment submissions | Consent (Art. 6(1)(a)) |
| Newsletter subscription | Consent (Art. 6(1)(a)) |
| Website analytics | Legitimate interest (Art. 6(1)(f)) |
| Security monitoring | Legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interest, our interest is to ensure the Site functions correctly, to measure its effectiveness, and to protect it from threats. We have carried out a balancing test and concluded that these interests do not override your fundamental rights and freedoms.
5. Third-Party Data Processors
We share personal data with the following processors, each of which acts under a data processing agreement:
| Processor | Service | Data Location |
|---|---|---|
| Google LLC | Google Analytics (tag GT-PLTRVXMH) | United States (EU Standard Contractual Clauses) |
| Brevo (Sendinblue) | Email marketing & CRM | European Union |
| OVHcloud | Website hosting | European Union (France) |
| Complianz | Cookie consent management | European Union |
| Wordfence (Defiant Inc.) | Website security & firewall | United States (EU Standard Contractual Clauses) |
6. International Data Transfers
Some of our processors are based outside the European Economic Area (EEA). Where personal data is transferred to countries that have not received an adequacy decision from the European Commission, we ensure appropriate safeguards are in place:
- Google LLC (United States): EU Standard Contractual Clauses (SCCs) and supplementary measures.
- Defiant Inc. / Wordfence (United States): EU Standard Contractual Clauses (SCCs).
- Brevo, OVHcloud, Complianz: Data processed within the EU; no international transfer required.
7. Data Retention
- Form submissions (contact requests, self-assessment results): retained for 24 months from the date of submission, then permanently deleted unless an ongoing client relationship exists.
- Newsletter subscriber data: retained until you unsubscribe. You may unsubscribe at any time via the link in each email or by contacting us.
- Analytics data: retained for 14 months (Google Analytics default with our configuration).
- Cookies: retention periods vary by cookie. See our Cookie Policy for details.
8. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain confirmation of whether your data is being processed and request a copy.
- Right to rectification (Art. 16) — request correction of inaccurate data.
- Right to erasure (Art. 17) — request deletion of your data (“right to be forgotten”).
- Right to restriction (Art. 18) — request that processing be restricted in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest at any time.
- Right to withdraw consent (Art. 7(3)) — withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at: contact@tokenshift.ai
We will respond to your request within one month of receipt, as required by GDPR.
9. Right to Lodge a Complaint
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The competent authority for TokenShift is:
Commission Nationale de l’Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. The “Last updated” date at the top of this page indicates the most recent revision. We encourage you to review this policy periodically.